Feds Bust International Telephone Hacking Conspiracy

By Roy Mark |
Posted 2009-06-12

The Department of Justice
indicted three individuals June 15 who allegedly hacked into the telephone
systems of large corporations and entities in the United States and abroad, selling
information about the compromised telephone systems to Pakistani nationals
residing in Italy.

Along with the U.S. indictments, Italian law
enforcement raided approximately 10 locations in four regions of Italy and arrested the financiers of
the hacking activity. The DOJ claims the financiers used the information from
the hackers to transmit more than 12 million minutes of telephone calls valued at
more than $55 million over the hacked networks of victim in the United States alone.

"This was an
extensive and well-organized criminal network that worked across
continents," acting U.S. Attorney Ralph J. Marra Jr. said in a
statement. "The hackers we've charged enabled their conspirators in Italy and elsewhere to steal large
amounts of telecommunications capacity, which could then be used to further or
finance just about any sort of nefarious activity here or overseas."

Charged in the New Jersey indictment are Mahmoud Nusier,
40, Paul Michael Kwan, 27, and Nancy Gomez, 24, all currently residing in the Philippines, with conspiracy to commit wire
fraud and unauthorized access to computer systems and other counts. Nusier is a
Jordanian national; Kwan and Gomez are Philippine nationals.

According to the DOJ, two
of the ring's financiers in Italy -- dubbed M.Z and S.K -- operated
call center operations in Italy from which their customers would
make calls throughout the world. To increase their profits, M.Z. and S.K. made
efforts to incur as little costs as possible in routing their customers'
telephone calls to the intended call-recipient.

The DOJ claims M.Z. and
S.K. recruited Nusier, Kwan, Gomez and others to hack into the telephone
networks so that telephone calls from the call centers could be transmitted
over the hacked networks. To accomplish their mission, the hackers gained an
intimate familiarity with the programming of the public branch exchange (PBX)
telephone systems.

As the hackers dialed
into the victim systems, they were able to identify the type of PBX system by
the prompts and were thereby able to begin a process -- known as a brute force
attack -- by which they sought to attack vulnerable points of the PBX systems.
Often, the DOJ said, the vulnerable points consisted of telephone extensions
with default passwords still in place.

After using a couple of
methods to exploit the information they gained regarding the hacked PBX
systems, the hackers transmitted the information about the hacked system back
to the financiers. The losses were borne by the victim corporations, and
AT&T and other long distance carriers, which provided the long-distance
telephone service for the victims.

The DOJ said AT&T was
not hacked but was among the companies that carried the long distance calls.

In addition to the
conspiracy count, each of the defendants is charged with two counts of
unauthorized access to a computer system for purposes of committing fraud, and
with the possession of unauthorized access devices, including pass codes to U.S. telephone systems.

The defendants face
maximum prison sentences of five years on the conspiracy count, five years on
each of the two respective unauthorized computer access counts, and 10
additional years on the access device count. In addition, each is subject
to a maximum fine of $250,000 on each count for which they are named, or twice
the gain resulting from the offense, whichever is greater.